Another day, another hack. Cyberfort discusses what organisations should be doing to protect themselves.


BBC News

Unfortunately, another day has passed and another key supplier has revealed that it was compromised. This time the impact on its customers could be extensive. Richard Braganza, Head of Offensive Security at Cyberfort, explains why news like this is no longer a surprise and what organisations can realistically do to protect themselves.

Following the news of the MoveIT hack, a number of big brand names will have been burning the midnight oil trying to work out how to handle the fallout. Worse, the staff of these companies now feel the pain, and the worry that comes with it, of what appears to be a possible release of staff bank details and other private information. We have grown accustomed to headlines of 'yet another breach' at 'yet another supplier'. It is like Covid: it is not going away any time soon, and we need to come to terms with this state of affairs.

Judging by prior compromises, there will be calls to action, and the affected suppliers and their clients will feel the pain on the balance sheet. Their brands may even become synonymous with how not to do cyber security. Turbulent waters lie ahead, but they will calm down eventually.

Right now, Compliance and Purchasing departments up and down the land are reviewing the fine details of their supplier security policies to give their Exec Boards some kind of reassurance that a MoveIT-like compromise will not happen to them. This effectively boils down to asking their suppliers 'do you patch?'. I am just not sure that would have helped in this situation. According to news reports, the bug was a zero-day SQL injection vulnerability, so no patch would have been available to apply. Given the state of modern software development frameworks, that points to one of two things: either the vulnerable code was written a long time ago, or the developers are not using those frameworks, because modern frameworks, with their parameterised queries and ORMs, make it very difficult to introduce SQL injection bugs into new code.
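To make the point about frameworks concrete, here is an added example (not code from Cyberfort or from the MoveIT product) contrasting a query built by string concatenation with the parameterised form that modern frameworks and database drivers provide. The table, the file names and the attack payloads are constructed for the demonstration and run against an in-memory SQLite database, so it needs nothing beyond the Python standard library.

```python
"""Added illustration: SQL injection via string concatenation versus a
parameterised query. Sample data and payloads are constructed here; they are
not taken from any real product or incident."""
import sqlite3


def make_db():
    # Constructed sample data: a file-transfer style table where each row
    # belongs to one customer ('owner').
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [
            ("alice", "payroll.xlsx"),
            ("alice", "q2-report.pdf"),
            ("bob", "bank-details.csv"),
        ],
    )
    return conn


def list_files_vulnerable(conn, owner):
    # VULNERABLE: the caller-supplied value is spliced into the SQL text, so
    # a quote character in it changes the structure of the statement.
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    # HARDENED: the value is passed as a bound parameter. The driver sends
    # it as data, so it can never become part of the SQL grammar.
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Constructed payloads. The first turns the WHERE clause into a tautology
# and returns every customer's files; the second uses UNION to pull a
# different column (the customer list) out through the same query.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT owner FROM files --"


def demo():
    conn = make_db()
    return {
        "vuln_normal": list_files_vulnerable(conn, "alice"),
        "vuln_tautology": list_files_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_union": sorted(list_files_vulnerable(conn, PAYLOAD_UNION)),
        "safe_normal": list_files_safe(conn, "alice"),
        "safe_tautology": list_files_safe(conn, PAYLOAD_TAUTOLOGY),
        "safe_union": list_files_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:15s} -> {result}")
```

Run as a script, the vulnerable function hands back every row, or the whole list of customers, as soon as the payload is supplied, while the parameterised version simply finds no owner with that literal name and returns nothing. That is the difference a supplier's choice of framework makes, and it is why 'do you patch?' is the wrong question for a bug of this class.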

So, what questions should Compliance and Purchasing departments be asking? The conversation should go something like this:

Hello, Supplier, can you please provide evidence of the following:

  • That you have independent penetration tests performed, at least annually, on what you are going to supply to me, and can I see the executive summary of the last test showing its scope and date?
  • That your development team, whether in-house or outsourced, has received regular secure coding training?

This is an example of good supply chain risk management (follow Cyberfort for an upcoming blog on this topic). Armed with answers to questions like these, a buyer can favour suppliers who meet these best practices, which helps de-risk the supplier onboarding process.

At Cyberfort we can support you with the design and management of a proactive supply chain management system and its supporting policies, conduct penetration tests, and train development teams to understand the importance of security by design, all of which can help give your customers the confidence they will be seeking. It is often said that 'Security' as a function does not generate revenue, but Secure by Design is definitely a selling point: in this day and age it will differentiate you from your competitors. That alone does not help the customer organisations who buy in specialist software, though, so Cyberfort can also assist buying organisations with creating the policies and processes that their supply chain must sign up to if they want that business.
